diff --git a/README.md b/README.md index d1bc0afbb42..7b86f15d06d 100644 --- a/README.md +++ b/README.md @@ -270,7 +270,7 @@ Run an SCA scan of packages in a repo: checkov -d . --framework sca_package --bc-api-key ... --repo-id ``` -Run a scan of a directory with environment variables removing buffering, adding info level logs, turning on image referencer: +Run a scan of a directory with environment variables removing buffering, adding debug level logs, turning on image referencer: ```sh PYTHONUNBUFFERED=1 LOG_LEVEL=DEBUG CHECKOV_EXPERIMENTAL_IMAGE_REFERENCING=TRUE checkov -d . ``` diff --git a/docs/3.Custom Policies/Python Custom Policies.md b/docs/3.Custom Policies/Python Custom Policies.md index 7871ec94857..9ca8225e03a 100644 --- a/docs/3.Custom Policies/Python Custom Policies.md +++ b/docs/3.Custom Policies/Python Custom Policies.md 
@@ -16,13 +16,13 @@ Read also how to [create custom YAML Policies for attribute and composite scanni Specify a `name`, `ID`, `relevant resources` and `categories`. -| Parameter | Description | Example/Comments | -| -------- | -------- | -------- | -| ``name`` | A new policy's unique purpose. It should ideally specify the positive desired outcome of the policy. | | -| ``id`` | A mandatory unique identifier of a policy. Native policies written by Bridgecrew contributors will follow the following convention: -``CKV_providerType_serialNumber`` | `CKV_AWS_9` , `CKV_GCP_12` | -| ``supported_resources`` | Infrastructure objects, as described in the scanned IaC's language. This usually contains one specific resource block. If you support multiple resources, you can use `*` to match any type of entity in that specific domain. | `*` use depends on which check base class you extend; see note below table. `?ws_*` will match anything where the second character is a `'w'`, the third is a `'s'` and the fourth is a `'_'`. | -| ``categories`` | Categorization of a scan. Usually used to produce compliance reports, pipeline analytics and infrastructure health metrics, etc. | | +| Parameter | Description | Example/Comments | +|-----------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| ``name`` | A new policy's unique purpose. It should ideally specify the positive desired outcome of the policy. | | +| ``id`` | A mandatory unique identifier of a policy. 
Native policies written by Bridgecrew contributors will follow the following convention: ``CKV_providerType_serialNumber`` | `CKV_AWS_9` , `CKV_GCP_12` | +| ``supported_resources`` | Infrastructure objects, as described in the scanned IaC's language. This usually contains one specific resource block. If you support multiple resources, you can use `*` to match any type of entity in that specific domain. | `*` use depends on which check base class you extend; see note below table. `?ws_*` will match anything where the second character is a `'w'`, the third is a `'s'` and the fourth is a `'_'`. | +| ``categories`` | Categorization of a scan. Usually used to produce compliance reports, pipeline analytics and infrastructure health metrics, etc. | | +| ``guideline`` | (Optional) Add extra info to help the user to solve the issue. | This is not needed | **Note for Supported Resources Parameter:** If you extend `checkov.terraform.checks.resource.base_resource_check.BaseResourceCheck`, the check is registered for all Terraform resources. @@ -243,7 +243,8 @@ class S3PCIPrivateACL(BaseResourceCheck): supported_resources = ['aws_s3_bucket'] # CheckCategories are defined in models/enums.py categories = [CheckCategories.BACKUP_AND_RECOVERY] - super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) + guideline = "Follow the link to get more info https://docs.bridgecrew.io/docs" + super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources, guideline=guideline) def scan_resource_conf(self, conf): """ 
@@ -278,21 +279,22 @@ checkov -d . --external-checks-dir my_extra_checks ``` Verify the results: -```python +```shell Check: "Ensure PCI Scope buckets has private ACL (enable public ACL for non-pci buckets)" FAILED for resource: aws_s3_bucket.credit_cards_bucket File: /main.tf:80-90 + Guide: Follow the link to get more info https://docs.bridgecrew.io/docs 80 | resource "aws_s3_bucket" "credit_cards_bucket" { - 81 | region = var.region - 82 | bucket = local.bucket_name - 83 | acl = "public-read" - 84 | force_destroy = true - 85 | - 86 | tags = { - 87 | Scope = "PCI", - 88 | - 89 | } + 81 | region = var.region + 82 | bucket = local.bucket_name + 83 | acl = "public-read" + 84 | force_destroy = true + 85 | + 86 | tags = { + 87 | Scope = "PCI", + 88 | + 89 | } 90 | } ``` diff --git a/docs/8.Outputs/JUnit XML.md b/docs/8.Outputs/JUnit XML.md index 07cc523fe6c..773029876cf 100644 --- a/docs/8.Outputs/JUnit XML.md +++ b/docs/8.Outputs/JUnit XML.md @@ -126,7 +126,10 @@ SCA Base Score: 7.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Risk Factors: ["Has fix", "High severity", "Attack complexity: low", "Attack vector: network", "DoS"] - + Fix Details: + Status: fixed in 2.8.1 + Fixed Version: 2.8.1 + Resource: package-lock.json.connect File: /package-lock.json: 0-0 @@ -141,6 +144,9 @@ SCA Link: Vector: Risk Factors: + Fix Details: + Status: + Fixed Version: Resource: File: @@ -223,7 +229,10 @@ SCA Base Score: 7.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Risk Factors: ["Has fix", "High severity", "Attack complexity: low", "Attack vector: network", "DoS"] - + Fix Details: + Status: fixed in 2.8.1 + Fixed Version: 2.8.1 + Resource: package-lock.json.connect File: /package-lock.json: 0-0
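Review bot: in the `@@ -16,13 +16,13 @@` hunk of "Python Custom Policies.md", the Example/Comments cell of the new `guideline` row reads "This is not needed", which a reader will take as "this parameter is pointless" rather than "no example required"; since the Description already says "(Optional)", either leave the cell blank like the `name` and `categories` rows or put a concrete example there, such as the URL string used in the class example later in the same document. Joining the previously split `id` row (`Native policies written by Bridgecrew contributors will follow the following convention: ``CKV_providerType_serialNumber``` ) back onto one line is a good fix, as the old layout broke the table.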
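Review bot: in the `@@ -243,7 +243,8 @@` hunk (the `S3PCIPrivateACL` example), the value `guideline = "Follow the link to get more info https://docs.bridgecrew.io/docs"` points at the documentation root rather than at anything about this check, which undercuts the stated purpose of the parameter ("help the user to solve the issue"); an example should use a check-specific page or an obvious placeholder URL so readers do not copy the generic link into real policies. A sentence above the class explaining that `guideline` is an optional keyword argument to `super().__init__` would also help, and the now very long `super().__init__(...)` line is worth wrapping in a doc example.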
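Review bot: in the `@@ -278,21 +279,22 @@` hunk, switching the fence from ```python to ```shell is correct, since the block is CLI output rather than Python, and the added `Guide: Follow the link to get more info https://docs.bridgecrew.io/docs` line is consistent with the guideline string set in the class above. However, the removed and re-added lines `81 | region = var.region` through `89 | }` appear identical in the hunk, so this looks like a whitespace-only change; if it reproduces checkov's real indentation keep it, otherwise revert those lines to keep the diff minimal.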
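Review bot: in the first `@@ -126,7 +126,10 @@` hunk of "JUnit XML.md", the new `Fix Details:` block carries `Status: fixed in 2.8.1` and `Fixed Version: 2.8.1`, which duplicate each other; if that is what checkov emits, the surrounding text should say what distinguishes the two fields (for example that `Status` is free text from the vulnerability feed while `Fixed Version` is the version to upgrade to), otherwise readers will not know which one to parse. The same block is added again in the `@@ -223,7 +229,10 @@` hunk, so keep both samples in sync when the output format changes.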
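Review bot: in the `@@ -141,6 +144,9 @@` template hunk, the empty `Status:` and `Fixed Version:` lines under `Fix Details:` match the other blank placeholder fields, but the doc should state whether these lines are omitted or printed blank when the feed has no fix available, since consumers of this output need to know if the fields are always present.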